Information Exposure Through Debug Information
ID: 215 | Date: Created 2012-05-14, Modified 2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
The application contains debugging code that can expose
sensitive information to untrusted parties.
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality | Read application data | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Implementation | | Do not leave debug statements that could be executed in the source code. Ensure that all debug information is removed before the software is released. | | |
Architecture and Design | Separation of Privilege | Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary, and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges. | | |
Relationships
This overlaps other categories.
Related CWE | Type | View | Chain |
---|
CWE-215 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- A web application reads a "debugEnabled" system property and, if it is true, writes sensitive debug information into the response sent to the client browser.
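The scenario described in the demonstrative example, written out as an added example (this is not the CWE entry's own code). A request handler catches a backend failure and, when a "debugEnabled" flag is set, appends the traceback and the live configuration to the HTTP response; a hardened handler beside it keeps the same diagnostics in the server log and returns only an opaque reference id. The flag, the configuration values, the simulated database failure and all function names are assumptions made for this illustration.

```python
"""Added example for CWE-215: debug output routed to the client versus kept
server-side. Configuration, failure mode and names are constructed."""
import logging
import traceback
import uuid

# Constructed configuration. The connection string carries exactly the kind of
# secret that leftover debug output commonly leaks.
CONFIG = {
    "db_url": "postgresql://app:S3cretPassw0rd@db.internal:5432/orders",
    "environment": "production",
}

logger = logging.getLogger("orders")


class DatabaseError(Exception):
    """Simulated backend failure whose message echoes the connection string."""


def connect(db_url: str) -> None:
    # Constructed failure: like many real drivers, the error text repeats the DSN
    # (including the embedded password).
    raise DatabaseError(f"could not connect to {db_url}: connection refused")


def handle_request_vulnerable(path: str, debug_enabled: bool) -> tuple[int, str]:
    """CWE-215 pattern: a runtime flag routes internal diagnostics to the client."""
    try:
        connect(CONFIG["db_url"])
        return 200, f"order lookup for {path}"
    except DatabaseError:
        body = "Internal error"
        if debug_enabled:
            # The client receives the traceback, the exception text and the
            # configuration, i.e. the database password.
            body += "\n--- debug ---\n" + traceback.format_exc()
            body += f"\nconfig={CONFIG!r}"
        return 500, body


def handle_request_fixed(path: str, debug_enabled: bool) -> tuple[int, str]:
    """Hardened: the response never carries diagnostics. Full detail goes to the
    server log keyed by an opaque id that the client can quote to support."""
    try:
        connect(CONFIG["db_url"])
        return 200, f"order lookup for {path}"
    except DatabaseError:
        error_id = uuid.uuid4().hex
        logger.error("request %s failed (error_id=%s)", path, error_id, exc_info=True)
        # The debug flag changes what is logged, not what the client sees.
        if debug_enabled:
            logger.debug("config at failure (error_id=%s): %r", error_id, CONFIG)
        return 500, f"Internal error (reference {error_id})"


def response_leaks_secret(body: str, secret: str = "S3cretPassw0rd") -> bool:
    """Release-time check: does a response body contain the configured secret?"""
    return secret in body


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for handler in (handle_request_vulnerable, handle_request_fixed):
        status, body = handler("/orders/42", debug_enabled=True)
        print(handler.__name__, status, "leaks secret:", response_leaks_secret(body))
```

Note that in the hardened handler the flag still exists, but it can no longer change the trust boundary: whatever it enables stays on the server side of it. Removing the flag entirely before release, as the Implementation mitigation above asks, is still the safer end state.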
Observed Examples
- CVE-2004-2268 : Password exposed in debug information.
- CVE-2002-0918 : CGI script includes sensitive information in debug messages when an error is triggered.
- CVE-2003-1078 : FTP client with debug option enabled shows password to the screen.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
PLOVER | | Infoleak Using Debug Information | |
OWASP Top Ten 2007 | A6 | Information Leakage and Improper Error Handling | CWE_More_Specific |
OWASP Top Ten 2004 | A10 | Insecure Configuration Management | CWE_More_Specific |
References:None